Selecting a Secure Enterprise OS: Don't Make the First Step the Wrong Step

It's pretty common to focus on functionality when choosing an operating system, particularly for businesses with specific technical needs. But Bruce Potter warns that making your selection without paying due attention to the operating system's security issues may hit hard in the long term.

Selecting an operating system for use in your enterprise can be a complicated
decision. Licensing costs, supported software, hardware options, reliability,
and current administration capabilities all are part of the equation. Security
is also a concern, but sometimes it's difficult to determine what
"security" really means with respect to selecting an operating system.
Further, the major operating system choices have a great deal of marketing hype
with respect to security, but it's hard to cut through the hype and make a
decision that's best for your environment.

Ultimately, the choice you make in operating systems for your enterprise is a
choice you'll have to live with for years. Migrating from one operating
system to another can be an expensive proposition. So it's best to make
your choice in an educated manner. Security, while maybe not your highest
priority, is an aspect of the operating system that will certainly have
long-term ramifications. This article provides one view of operating system
security that I hope will help you in your decision. While I have my own opinion
on what OS you should choose—I'll just tell you upfront that I'm
a FreeBSD zealot—I'm going to try not to let my opinions get in the
way of the facts at hand.

Operational Security

In order to understand which OS meets your needs, you must understand what
"security" really means in an operational construct. Operational
security is about the ability to maintain a secure and robust environment
over the long term. It's not enough to have a single host system
that's resilient to attack in the here and now; all the systems in the
enterprise have to be able to stay secure as technologies, attacks, and
applications change.

Anyone can be trained to lock down a host. There are host lockdown guidelines
from the likes of Microsoft and NIST that are very well done and are easy to
follow. Any reasonably savvy IT
professional can follow these directions and make a system difficult to
compromise. But ultimately, these procedures are really just part of the
equation. If you have to constantly change your system configuration or
don't have any idea of how the security of your operating system is going
to change from version to version, then you still haven't achieved
operational security.

The manner in which your operating system is developed can have a profound
impact on your enterprise. Operating system development encompasses the entire
lifecycle of the software. How it's planned, designed, implemented, tested,
and maintained ultimately affects your environment, but the effects are a matter
of debate. Some would say that a rigorous, structured process is the only way to
create secure and scalable software. This is a very corporate view of software
development and is commonly evangelized in complex systems development. However,
others would argue that simply using a process doesn't mean that the
software is really more secure—just that it was developed in a consistent
manner.

Conversely, the open source world tends to take a different view of this
problem. A large number of developers developing software in a relatively ad hoc
manner puts more eyeballs on the code and forces only "important"
things to be integrated. This development model may create software that has the
correct feature set, but there's nothing inherent in it that addresses
security concerns at a tactical or architectural level.

The three major operating systems in use in datacenters (Microsoft Windows,
Linux, and FreeBSD) have three very different development models. Let's
take a look at each and consider how the development process affects
security.